Correct syntax for hosts (whitelist for Snort)



  • Hello, first post here. I am very happy with pfSense, please don't ask me why I didn't run it until now :) even if I heard about it for years in TechSnap and LAS and others. But as always with noobs I have a few problems, mainly Snort ones.
    1. I have a /27 subnet, correctly configured and working, and a couple of servers in it (LAN)
    2. Snort is blocking tons of connections; I did follow your tutorials, did some reading and a lot of googling. And it is working but it blocks also legitimate connections. So as I understand I just have to do a lot of work and "customise" the Snort exceptions; I just don't want to throw whole rules as I did with mod_security lol
    3. Of course, I use an Alias for whitelisting and there I chosen "hosts" as it is my understanding that I can fill domain names and also IPs, subnets etc.
    Sometimes when I connect with VPN (just to access the interface, which accessible only in LAN) I am locked out due to UDP scanning - fine added my IP, but as I am tunelling from an DHCP connection this doesn't help me much. So what can I do here? [SOLVED] > reduced the threshold to "Low" for now, "Medium" was too strong.
    4. OMG it's blocking search engines - how can I whitelist those? If I am filling an IP in the Alias it is fine, no more banning. But the little clowns are of course also using other IPs - so I filled some fields with:
    google.com
    googlebot.com
    msn.com
    facebook.com
    you.get.it

    But it doesn't seem to work. So what is the correct way to input those big providers? With wildcards for the subdomains? And are those resolved (read somewhere that they are, on schedule, and all IPs added automatically), how to check if they are? Where can I find more info on the subject?

    BTW I am on the "Connection" setting, so it shouldn't be THAT aggressive…



  • You cannot use FQDN (fully qualified domain names) in Snort.  It will not resolve them to their IP address.  This is currently a limitation of the plugin that provides the blocking function.

    So you can't whitelist something like *.google.com", for instance.

    Most of those rules that are firing I bet are from the HTTP_INSPECT preprocessor.  Many of those will false positive as they are very strictly analyzing and comparing web traffic to RFC standards.  Unfortunately, many web servers do not adhere rigidly to those standards.  I recommend following the advice of the Snort Master Suppress List thread (search for it in the Packages forum) and add suppress entries for a bunch of the HTTP_INSPECT rules.  You can also just disable those completely.

    Bill



  • Thanks for the info, I was already on the right track, but good to have a confirmation! One has only so much time for reading. The thread you are mentioning is very interesting and I am reading it whole; thanks once again, the forum suppression topic already helped a lot.

    This is [/SOLVED]